As network, development and security groups view virtualization as a nonstandard technology, it can prove a hard sell in the IT workspace. Educating the various teams that will interact with virtualization counteracts this type of resistance and gets everyone on board as part of an overall virtualization strategy. Once people discover the great benefits of virtualization, they will be better prepared and more willing to help implement it. Below are examples of some types of resistance one might experience from each group and how managers can deal with them.
Selling virtualization to network groups
A network technology often used with virtualization is 802.1Q virtual local area network (VLAN) tagging. It provides the ability to use multiple VLANs on a single virtual switch and is almost a must-have in large environments. Without it you would have to create a separate virtual switch for each VLAN and dedicate at least one network interface card (NIC) to it. Network people don't often utilize this technology on physical servers and might not have much experience with it in general. However, it is fairly simple to set up. VMware published a good technical paper on the subject, detailing configuration and implementation. Let's use VMware as an example of the type of virtualization technology that one might be introducing to an IT department.
One situation that might cause network guys to push back on virtualization is connecting virtual machines to a public DMZ while keeping the ESX service console on a private internal network. The fear is that the ESX server, straddling the DMZ with connections to both the private and public networks, presents a potential target: an attacker who compromises a virtual machine (VM) in the DMZ could gain access to the internal network. However, the design of ESX does not allow this to occur. The only scenario that would allow it is if someone configured a VM with two vNICs, one on an internal network vSwitch and the other on an external network vSwitch, which you would never want to do.
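The dual-homed VM described above is a misconfiguration you can check for rather than assume away. The following is an added example, not from the original article or from VMware: it audits a constructed inventory of vNIC-to-port-group attachments and flags any VM connected to more than one zone. The port group names, zone labels and inventory layout are assumptions; zones are assigned per port group rather than per vSwitch, a generalization that still works when 802.1Q tagging puts several VLANs on one vSwitch.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical names, not from a real ESX host).
# Each port group maps to the vSwitch it lives on and an administrator-assigned zone.
PORT_GROUPS = {
    "DMZ-Web":  {"vswitch": "vSwitch1", "zone": "dmz"},
    "Prod-App": {"vswitch": "vSwitch2", "zone": "internal"},
    "Prod-DB":  {"vswitch": "vSwitch2", "zone": "internal"},
}
VM_NICS = [  # (VM name, vNIC label, port group the vNIC is connected to)
    ("web01",   "vNIC1", "DMZ-Web"),
    ("app01",   "vNIC1", "Prod-App"),
    ("app01",   "vNIC2", "Prod-DB"),    # multi-homed, but inside one zone
    ("proxy01", "vNIC1", "DMZ-Web"),
    ("proxy01", "vNIC2", "Prod-App"),   # bridges DMZ and internal
    ("test01",  "vNIC1", "Lab-Net"),    # port group missing from the zone map
]


def audit_vnics(vm_nics, port_groups):
    """Return (bridging, unclassified).

    bridging: {vm: sorted [(zone, vswitch, port_group), ...]} for every VM
    whose vNICs attach to more than one zone.
    unclassified: sorted [(vm, vnic, port_group), ...] for attachments with no
    zone assignment, reported separately so an unknown network is never
    silently treated as safe.
    """
    attachments = defaultdict(list)
    unclassified = []
    for vm, vnic, pg in vm_nics:
        entry = port_groups.get(pg)
        if entry is None:
            unclassified.append((vm, vnic, pg))
            continue
        attachments[vm].append((entry["zone"], entry["vswitch"], pg))
    bridging = {
        vm: sorted(att)
        for vm, att in attachments.items()
        if len({zone for zone, _, _ in att}) > 1
    }
    return bridging, sorted(unclassified)


if __name__ == "__main__":
    bridging, unclassified = audit_vnics(VM_NICS, PORT_GROUPS)
    for vm, att in sorted(bridging.items()):
        where = ", ".join(f"{z} ({sw}/{pg})" for z, sw, pg in att)
        print(f"FAIL {vm}: vNICs span zones: {where}")
    for vm, vnic, pg in unclassified:
        print(f"WARN {vm} {vnic}: port group {pg!r} has no zone assignment")
```

Run against a real inventory export on a schedule, a check like this gives the network team evidence that no VM bridges the DMZ and the internal network.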
To make the case to your network team:
- Explain the concept of virtual switches and virtual NICs, how they interact with physical switches and physical NICs.
- Show how 802.1Q VLAN tagging works in a virtual networking environment.
- Explain virtual network security principles and how virtual switches are isolated from each other so traffic doesn't leak between them.
- Demonstrate the setup and configuration of a virtual switch and how virtual machines are connected to it via virtual NICs.
Selling virtualization to development groups
Virtualization can be a great benefit to application developers. Developers are typically concerned that their applications may not run properly on virtual hardware. Virtualization actually provides exactly the same virtual hardware to each virtual machine, giving developers consistent hardware across all environments (development, testing, production, etc.) and eliminating potential problems caused by different hardware on different servers running the same applications.
Developers might also be concerned that application vendors will not support their products in virtual environments. Although most vendors do provide support for their products running on virtual servers, it's a good idea to make a list of your applications and get statements of support from each vendor, who will usually have this available on their website.
To make the case to your development team:
- Explain the concept of virtual hardware and how it differs from physical hardware.
- Show support statements from application vendors.
- Explain resource pools and how features like resource schedulers work.
- Demonstrate a tool like Snapshot Manager and show how to clone servers.
Selling virtualization to security groups
Security people tend to put up the most resistance. The most common fear among security specialists is that a VM will be compromised and allow access to the host and other VMs. This is commonly known as "escaping the cave," an issue with VMware-hosted products like Workstation and Server and less an issue with ESX, which is a very secure platform by default. A properly secured and patched ESX server has almost no chance of having this happen to it. Of course, a vulnerability may be discovered, but VMware has had a good security track record to date.
Another fear is that a virtual machine with its virtual disk on a storage area network (SAN) logical unit number (LUN) may allow an attacker access to other data on that LUN or on the SAN fabric itself. A VM has no direct access to the Fibre Channel cards in a host system and therefore cannot see anything beyond the virtual disk assigned to it.
To make the case to your security team:
- Explain how the virtualization layer works and how virtual machines are kept isolated from each other even while sharing the same physical hardware.
- Explain that virtual machines should be secured the same way as physical systems and that the guest operating system on a VM is subject to the same security risks as a physical system.
- Allow them access to a virtual machine so they can test it for themselves.
Selling virtualization to management groups
Virtualization is an investment in savings: it costs money to implement but will provide significant cost savings soon after deployment. How much it affects TCO will depend on the virtualization product and which additional features, hardware, support and training will be required. When management looks at the initial price tag and asks why they need to spend so much money to virtualize their servers, a good way to respond is with a cost/benefit analysis explaining the benefits of virtualization and the cost savings that can be achieved by implementing it. VMware provides a nice TCO/ROI calculator to assist with this, and PlateSpin provides a power and cooling savings calculator on their website. With energy prices at record highs, showing the significant savings on power and cooling that virtualization can achieve will go a long way in convincing management that virtualization is a sound investment.
To make the case to your management team:
- Provide a high-level executive overview of your virtualization technology.
- Explain the benefits and cost savings that can be achieved with virtualization.
- Show them customer success stories provided by vendors.
- Demonstrate advanced features, such as VMware HA and vMotion.
To help in presenting virtualization technology to each group, here are a few more tips:
- First, make sure you understand the product yourself. Download an evaluation copy and read through documentation and technical papers. You may also want to contact the virtualization vendor and their business partners to assist you with this.
- Next, put together a presentation for each group that provides a general overview of virtualization and specifically addresses any concerns that might be raised. Customize your presentations to each audience.
- Include a demonstration of some of the features that virtualization provides.
- Provide technical papers to each group on their areas of interest. VMware has many available for use and several that specifically combat security concerns discussed in this article.
When you complete your presentation with each group, everyone should come away from it knowing much more about virtualization and hopefully be excited about assisting in implementing it, making your virtualization project a success.
About the author: Eric Siebert is a 25-year IT veteran with experience in programming, networking, telecom and systems administration. He is a guru-status moderator on the VMware community VMTN forum and maintains VMware-land.com, a VI3 information site.